Computing

Secrets of the digital detectives

Computing: How fraud-detection systems combine dozens of clues to spot suspicious patterns in mountains of transactions

THE pleasure of reading a classic detective story comes from the way that the sleuth puts together several clues to arrive at a surprising conclusion. What is enjoyable is not so much finding out who the villain is, but hearing the detectives explain their reasoning. Today, not all detectives are human. At insurance companies, banks and telecoms firms, fraud-detection software is used to comb through millions of transactions, looking for patterns and spotting fraudulent activity far more quickly and accurately than any human could. But like human detectives, these software sleuths follow logical rules and combine disparate pieces of data—and there is something curiously fascinating about the way they work.

Consider car insurance. Every Monday morning, telephone operators at insurance firms listen to stories of the weekend's motoring mishaps, typing the answers to several dozen standard questions into their computers. Once, each claim form then passed to a loss adjuster for approval; now software is increasingly used instead. The Monday-morning insurance claims, it turns out, are slightly more likely to be fraudulent than Tuesday claims, since weekends make it easier for policyholders who stage accidents to assemble friends as false witnesses. A single rule like that is straightforward enough for a human loss adjuster to take into account. But fraud-detection software can consider dozens of other variables, too.

If a claimant was nearly injured (because of an impact near the driver's seat, for example), the accident is less likely to have been staged and the claim less likely to be fraudulent, even if it is being filed on a Monday. Drivers of cars with low resale values are proportionately more likely to file fraudulent claims. But that factor is less important if the claimant also owns a luxury car, which suggests affluence. And if the insurance on the luxury car has expired, the likelihood of foul play drops further, since this increases the likelihood a person will drive a cheaper but properly insured car. And so on.

The staggering number of combinations, each an indication of fraud or legitimacy, underscores the limitations of human analysis. Fraud-detection software, however, can evaluate a vast number of permutations and deliver a fraud-probability score. And such programs are getting better as new claims provide extra statistics that can help tune the computational recipes, or algorithms, used to detect fraud.

German insurers, for example, recently noticed that claimants who call back shortly after filing, angrily demanding speedy settlement, are disproportionately more likely to be cheaters, says Jörg Schiller, an insurance expert at the Otto Beisheim School of Management in Vallendar, Germany. Evidently fraudsters consider themselves good actors. But when pugnacious policyholders call after the 20th of the month, the probability that they are acting decreases slightly, since funds from the previous month's paycheque may be dwindling. Mr Schiller says most car insurers in rich countries now use fraud-detection software, and those in developing countries are adopting it rapidly.

Play your cards right

With an estimated $250m in annual sales, and yearly growth topping 25%, the largest and fastest-growing category of fraud-detection software is that used to spot fraudulent credit-card transactions. According to the Association for Payment Clearing Services, based in London, such software is largely responsible for reducing losses from credit-card fraud in Britain alone from £505m ($925m) in 2004 to £439m ($799m) in 2005. Merchants implementing anti-fraud software for the first time commonly see losses from fraud reduced by half. Such software evaluates many parameters associated with each credit-card transaction, including specific details of the items being purchased (derived from their bar codes), to evaluate the likelihood of foul play in the form of a numerical risk score. Any transactions that score above a certain pre-defined threshold are then denied or challenged.

Buying petrol seems innocent enough. If no attendant is present, however, the risk score goes up, because fraudsters prefer to avoid face-to-face purchases. Buying a diamond ring soon after buying petrol results in an even higher risk score: thieves often test a card's validity with a small purchase before buying something much bigger. A $100 purchase at a shop that sells hard liquor is more likely to be fraudulent than a more expensive shopping spree at a wine shop, because whisky is easier to fence. A purchase of sports shoes is risky because trainers appeal to a demographic with less money than, say, buyers of golf clubs. Buying two pairs of trainers increases the risk, as this may indicate plans to resell them. Shoes in teenage sizes bump up the score further, since pre-teens are less likely to buy stolen goods. Sales in London, New York or Miami, all cities with vibrant black markets for shoes, push scores higher, as do purchases made during school holidays. The fraud history of individual shops can also be taken into account.

Seasoned criminals can, of course, figure out such rules and change their behaviour in an attempt to avoid detection. Some types of purchases are less likely to be fraudulent. A shopping spree in a linen shop, however, does not have much appeal to most criminals. However, says Mike Davis, a fraud expert at Butler Group, a consultancy, the “vast majority” of fraudsters are low-level opportunists fairly easily foiled by today's fraud-detection software. The situation, he says, is “spectacularly better” than it was just a few years ago.

But the technology trips up cleverer fraudsters too, using a variety of tricks. The software can, for example, assign a customised scoring algorithm to each credit card, depending on its normal usage patterns. That algorithm can then be fine-tuned after each transaction. If a card belonging to a Berliner has never been used to purchase a plane ticket or buy goods outside Germany, the system may block an attempt to book a Moscow-Tokyo flight leaving in three hours. An attempt to charge a moped to an elderly woman's card may fail. Cards are often blocked when the volume of transactions for which they are used abruptly spikes.

E-businesses using anti-fraud software now block about 8% of all transactions. Some aborted orders, of course, are not fraudulent. Each “false positive” reduces profits and angers an honest shopper. To limit such damage, risk managers (employed by the software developers or the merchants themselves) study sales data compiled before the anti-fraud software was implemented. This analysis helps retailers find the optimal score threshold to determine which orders they accept.

Online fraudsters have tricks of their own, of course. Carl Clump, the boss of Retail Decisions, a fraud-detection firm based near London with clients including Wal-Mart, Sears and Bloomingdale's, offers an example. Not long ago, American scammers began buying CDs of classical music with their purchases of expensive items, apparently in an effort to deceive anti-fraud systems (since such music is generally assumed not to appeal to young, tech-savvy criminals). Retail Decisions' software, called PRISM, detected the trend. Now, purchases that combine classical or opera CDs with expensive goods receive a higher score than purchases of high-cost items alone.

By reading a computer's internet-protocol address, anti-fraud systems can “geolocate” online buyers, and raise or lower scores depending on where they are. Most systems penalise customers in places such as Eastern Europe, China, Thailand and Vietnam. More dramatically, many merchants block all transactions from certain countries. As this practice becomes more widespread, many countries, mostly in West Africa, are being completely shut out of international e-commerce. SN Brussels Airlines, for example, uses software developed by Ogone, a Belgian firm that protects more than 6,400 European merchants, to shut out all computers in Liberia and Congo. Without it, says Bruno Brusselmans, director of online sales, “I don't even want to think about what would happen.”

Telecoms firms have always suffered heavily from fraud, which is thought to reduce industry revenues by around 5%. But new software that identifies fraudulent callers on mobile networks is helping some operators slash their losses. Telecom Italia's 140 anti-fraud engineers trimmed losses this year to less than 1% by freezing about 30,000 phones a month, says anti-fraud director Fabio Scarpelli.

Such spectacular drops in fraud are more commonplace in the developing world, where mobile operators now investing in the technology. David Ronen, of ECtel, a firm based in Rosh Ha'ayin, Israel, with more than 100 telecoms clients and galloping growth in poor countries, says his firm's software establishes the normal calling patterns of individuals in order to detect tell-tale “weird situations”. For example, if a mobile account opened in Shanghai, and sparingly used for local calls, begins making numerous calls from Beijing to a few numbers in a distant western province, then it is likely that a phone thief is calling friends back home.

Fair Isaac, a large fraud-detection firm based in Minneapolis, operates a system so fast that it can block dialled calls before they are even connected. The software, called Falcon, is widely used, since laws prevent many telecoms firms from terminating non-prepaid calls once they are connected. Wily criminals are increasingly operating black-market phoning businesses based in parks and on street corners. “You may see 30 people with cell phones on one corner and one guy is dialling all the numbers for them,” says Ted Crooks of Fair Isaac. The calls, often to expensive destinations in poor countries, sometimes last days, Mr Crooks says, because cheats use forwarding systems to serve many customers with a single call. Technology that can pinpoint handsets' locations, however, allows calls in “hot” areas renowned for such illicit operations to be blocked.

It is all a far cry from piecing together clues in a country house, or the drudgery of real-life detective work. But the result is the same. Life gets harder for the bad guys, and the honest citizens, who ultimately pick up the bill for fraud, are protected. The digital detectives, like those in mystery novels, arrive at their conclusions by combining apparently trivial morsels of information. But as Sherlock Holmes put it, “I am glad of all details, whether they seem to you to be relevant or not.”